I run a Ubuntu 11.10 server at my house and in the past I have been using apt-get to keep all my packages up to date. Recently I noticed that when I run apt-get update/upgrade the version of some software is usually not the latest. Apache for instance is a good x.2.x versions behind the latest on Apache's website. The change logs that Apache provides indicates that the version on their site has updated several security vulnerabilities. This means that there are vulnerabilities for the version I have installed using apt-get.

In simple terms, is it better to download and compile essential software from source such as SSH and Apache to have the most secure and up-to-date version or is using a package manager such as apt-get a better option? I run only 1-2 servers so automating or updating multiple machines does not apply to me. Thank you!

2 Answers
2

Security vulnerabilites in packages gets backported by Ubuntu developers into the ubuntu-maintained package. Even though you might not always get the latest software-versions, you will be assured that the version you have installed is supported with security upgrades through the entire life-cycle of the Ubuntu release.

I recommend you to use the available ubuntu-packages whenever possible. If you need a newer version of a package because of a lacking feature in the current version, you should check for a maintained third-party PPA (Personal Package Archive).

And when you examine the change logs, you'll see that those same vulnerabilities are fixed in the most recent packages.

This practice is called backporting - new versions are avoided, since they might introduce new features (and bugs). The security vulnerability patches are applied, but the version number of the software in use does not change.